Connect Google Cloud Platform telemetry.
Arbitrary aggregate questions over views you author. Never raw rows. Every query in your audit trail.
connector status: in development · this guide is the access contract it is built against · it can tighten but never widen
The grant surface
Three read-only grants. Nothing else.
- roles/monitoring.viewer · Metric time series and aggregate queries, label sets included. No logging.* permissions.
- roles/cloudtrace.user · Span names, durations, status, service labels. Other attributes only as keys you approve per case. GCP can't scope traces finer than project, so the allowlist is our policy, checkable in your audit logs; if your spans carry payloads, start without this grant.
- roles/bigquery.dataViewer · your views only · Read on authorized views you author. Columns you exclude don't exist for us; queries are aggregate-only, and your audit logs record the full SQL of each one. This role carries no bigquery.jobs.create, which is why there is no roles/bigquery.jobUser in this list: the query job cannot run or bill in your project.
Identity is workload identity federation: no keys, short-lived tokens, and every read recorded in your project under the identity you issued. Revocation is one deletion, on your side.
Setup
1 · identity
gcloud iam workload-identity-pools create perfloop --location=global
gcloud iam workload-identity-pools providers create-oidc perfloop \
--location=global --workload-identity-pool=perfloop \
--issuer-uri="https://id.perfloop.ai" \
--attribute-mapping="google.subject=assertion.sub"
# to refuse token exchange for every other subject of that issuer, add:
# --attribute-condition="assertion.sub == '$WORKSPACE_ID'"
# the principal granted below ($PROJECT_NUM is the numeric project
# number, not the project id):
PERFLOOP="principal://iam.googleapis.com/projects/$PROJECT_NUM\
/locations/global/workloadIdentityPools/perfloop/subject/$WORKSPACE_ID"
2 · audit visibility
# enable DATA_READ audit logs for logging, monitoring, and trace
# (bigquery's data access logs are always on; nothing to enable there):
gcloud projects get-iam-policy $PROJECT --format=json > policy.json
# add auditConfigs for the three services (logType DATA_READ, no
# exemptedMembers), keep the etag so a concurrent edit is detected, then:
gcloud projects set-iam-policy $PROJECT policy.json
3 · metrics + traces
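Editing policy.json by hand is where this step goes wrong: a duplicated DATA_READ entry, a dropped ADMIN_READ, or a stale etag that makes set-iam-policy overwrite someone else's change. The script below is an added example, not perfloop's tooling; it merges DATA_READ for the three services into the exported policy idempotently and reports any exemptedMembers, because an exempted principal's reads never reach the trail at all. The sample policy in the test is constructed.

```python
"""Add DATA_READ audit-log configs to an exported project IAM policy.

Added example, not perfloop's tooling. It takes the JSON that
`gcloud projects get-iam-policy $PROJECT --format=json` produced, merges
DATA_READ for the three services without disturbing anything else, and
writes a file for `gcloud projects set-iam-policy $PROJECT policy.json`.
"""
import copy
import json
import sys

# Services whose Data Access logs are off by default. BigQuery is not listed:
# its Data Access logs are always on and cannot be disabled.
SERVICES = ("logging.googleapis.com", "monitoring.googleapis.com",
            "cloudtrace.googleapis.com")


def _has_data_read(cfg):
    return any(lc.get("logType") == "DATA_READ"
               for lc in cfg.get("auditLogConfigs", []))


def add_data_read_audit(policy, services=SERVICES):
    """Return a copy of `policy` with DATA_READ enabled for `services`.

    Idempotent: existing auditLogConfigs (ADMIN_READ, exemptedMembers) and
    the etag survive, so set-iam-policy still detects concurrent edits.
    """
    policy = copy.deepcopy(policy)
    configs = policy.setdefault("auditConfigs", [])
    by_service = {c.get("service"): c for c in configs}
    # "allServices" is a wildcard entry; if it already carries DATA_READ,
    # per-service entries would only add noise.
    wildcard = by_service.get("allServices")
    if wildcard is not None and _has_data_read(wildcard):
        return policy
    for svc in services:
        cfg = by_service.get(svc)
        if cfg is None:
            cfg = {"service": svc, "auditLogConfigs": []}
            configs.append(cfg)
            by_service[svc] = cfg
        if not _has_data_read(cfg):
            cfg.setdefault("auditLogConfigs", []).append({"logType": "DATA_READ"})
    return policy


def data_read_exemptions(policy):
    """Map service -> members whose DATA_READ events are exempted.

    An exempted principal's reads never reach the trail, so check that the
    federated principal you grant is not listed here.
    """
    out = {}
    for cfg in policy.get("auditConfigs", []):
        for lc in cfg.get("auditLogConfigs", []):
            if lc.get("logType") == "DATA_READ" and lc.get("exemptedMembers"):
                out[cfg["service"]] = list(lc["exemptedMembers"])
    return out


if __name__ == "__main__":
    # usage: python audit_config.py policy.json > policy.new.json
    with open(sys.argv[1]) as f:
        updated = add_data_read_audit(json.load(f))
    for svc, members in data_read_exemptions(updated).items():
        print(f"warning: DATA_READ exempt on {svc}: {members}", file=sys.stderr)
    json.dump(updated, sys.stdout, indent=2)
```

Run it on the exported file, review the warnings, then feed the output to set-iam-policy; running it a second time on its own output changes nothing.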
gcloud projects add-iam-policy-binding $PROJECT \
--member="$PERFLOOP" --role=roles/monitoring.viewer
gcloud projects add-iam-policy-binding $PROJECT \
--member="$PERFLOOP" --role=roles/cloudtrace.user
Don't extract sensitive fields into metric labels; labels ride with the series.
4 · logs
# upgrade the bucket for sql analytics (irreversible), link bigquery
# (the link id names the linked dataset, so it must be a valid bigquery
# dataset name: underscores, no hyphens):
gcloud logging buckets update prod-logs --location=global \
--enable-analytics
gcloud logging links create perfloop_logs --bucket=prod-logs \
--location=global
# author the views perfloop may query. you choose the columns;
# message bodies simply don't exist in them. http_request carries
# request_url and remote_ip, so project only the subfields you mean
# to share if your urls can hold query-string secrets:
CREATE VIEW views.requests AS
SELECT timestamp, severity, http_request, resource
FROM perfloop_logs._AllLogs;
# authorize dataset `views` on `perfloop_logs` so the view resolves
# without any grant on the source, then grant read on the views
# dataset only.
Arbitrary aggregate questions, retroactive, no metric definitions up front. Aggregate-only responses are our policy and your audit logs prove it per query (jobConfig.queryConfig.query holds the full SQL). Want it platform-enforced? An aggregation threshold policy on the view (BigQuery's privacy_policy view option) makes BigQuery reject queries that don't run under SELECT WITH AGGREGATION_THRESHOLD; trade-off: groups below the threshold get suppressed and time travel turns off for the view.
5 · strict option · zero log permission
Log-based metrics you define, read with monitoring.viewer alone. Predefined and forward-only: the strongest posture, not the smoothest workflow.
What does not exist
- No row reads. No logging.* role, no Logging-API calls, no raw-column SQL. Your audit logs prove it, query by query.
- No columns beyond your views. What you excluded doesn't exist from our side.
- No deploy webhooks. Deploy verification keys off the service.version label already in your telemetry. Nothing is pushed to us.
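"Your audit logs prove it, query by query" is only true if someone reads them. The script below is an added example, not perfloop's tooling: it takes the JSON array that `gcloud logging read 'logName:"cloudaudit.googleapis.com"' --format=json` returns and reports, for the federated principal alone, any Logging API call and any BigQuery query that selects *, has no aggregate function, or reads a table outside the views dataset (the full SQL is read from jobConfig.queryConfig.query, as step 4 notes). The PERFLOOP value and the sample entries are constructed; the aggregate check is a regex heuristic, not a SQL parser, so treat its output as a triage list.

```python
"""Check a project's audit trail against the contract on this page.

Added example, not perfloop's tooling. Input is what
  gcloud logging read 'logName:"cloudaudit.googleapis.com"' --format=json
returns: a JSON array of LogEntry objects. The PERFLOOP value and the
SAMPLE entries are constructed; the aggregate check is a regex heuristic.
"""
import json
import re
import sys

PERFLOOP = ("principal://iam.googleapis.com/projects/123456789012"
            "/locations/global/workloadIdentityPools/perfloop/subject/ws-42")
ALLOWED_DATASETS = {"views"}      # dataset holding the authorized views
AGG_FUNC = re.compile(
    r"\b(COUNT|SUM|AVG|MIN|MAX|STDDEV|APPROX_QUANTILES|APPROX_COUNT_DISTINCT)\s*\(",
    re.I)
TABLE_REF = re.compile(r"\b(?:FROM|JOIN)\s+`?([\w.-]+)`?", re.I)
SELECT_STAR = re.compile(r"\bSELECT\s+\*", re.I)


def caller(entry):
    """Identity on the entry: principalSubject for federated identities,
    principalEmail for users and service accounts."""
    auth = entry.get("protoPayload", {}).get("authenticationInfo", {})
    return auth.get("principalSubject") or auth.get("principalEmail")


def query_sql(entry):
    """Full SQL of a BigQuery query job, from BigQueryAuditMetadata."""
    meta = entry.get("protoPayload", {}).get("metadata", {})
    job = meta.get("jobChange", {}).get("job", {})
    return job.get("jobConfig", {}).get("queryConfig", {}).get("query")


def check_query(sql, allowed=ALLOWED_DATASETS):
    """Return the ways `sql` breaks the aggregate-only, views-only rule."""
    problems = []
    if SELECT_STAR.search(sql):
        problems.append("SELECT *")
    if not AGG_FUNC.search(sql):
        problems.append("no aggregate function")
    for ref in TABLE_REF.findall(sql):
        parts = ref.split(".")          # [project.]dataset.table
        if len(parts) < 2:
            problems.append(f"unqualified table reference: {ref}")
        elif parts[-2] not in allowed:
            problems.append(f"table outside views dataset: {ref}")
    return problems


def audit(entries, principal=PERFLOOP):
    """Findings as (reason, detail) for calls made under `principal`."""
    findings = []
    for entry in entries:
        if caller(entry) != principal:
            continue
        payload = entry.get("protoPayload", {})
        service, method = payload.get("serviceName"), payload.get("methodName")
        if service == "logging.googleapis.com":
            findings.append(("logging api call", method))
        elif service == "bigquery.googleapis.com":
            sql = query_sql(entry)
            if sql:
                findings.extend((p, sql) for p in check_query(sql))
    return findings


def _entry(service, method, identity, sql=None):
    """Build a constructed audit LogEntry with just the fields used above."""
    payload = {"serviceName": service, "methodName": method,
               "authenticationInfo": identity}
    if sql is not None:
        payload["metadata"] = {"jobChange": {"job": {"jobConfig": {
            "queryConfig": {"query": sql}}}}}
    return {"protoPayload": payload}


SAMPLE = [  # constructed, not real log data
    _entry("bigquery.googleapis.com", "google.cloud.bigquery.v2.JobService.InsertJob",
           {"principalSubject": PERFLOOP},
           "SELECT http_request.status AS status, COUNT(*) AS n "
           "FROM `views.requests` GROUP BY status"),
    _entry("bigquery.googleapis.com", "google.cloud.bigquery.v2.JobService.InsertJob",
           {"principalSubject": PERFLOOP},
           "SELECT * FROM perfloop_logs._AllLogs LIMIT 100"),
    _entry("logging.googleapis.com", "google.logging.v2.LoggingServiceV2.ListLogEntries",
           {"principalSubject": PERFLOOP}),
    _entry("logging.googleapis.com", "google.logging.v2.LoggingServiceV2.ListLogEntries",
           {"principalEmail": "alice@example.com"}),   # not our principal: ignored
]


if __name__ == "__main__":
    entries = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for reason, detail in audit(entries):
        print(f"{reason}: {detail}")
```

Against the constructed sample it reports nothing for the aggregate query over views.requests, three problems for the raw read of perfloop_logs._AllLogs, one Logging API call, and ignores the human user's call entirely. Point it at a real export to turn the page's "proves it" into a check you run on a schedule.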
Revocation
# one action, your side, effective immediately for new token exchanges:
gcloud iam workload-identity-pools providers delete perfloop \
--location=global --workload-identity-pool=perfloop
# tokens already minted expire on their own short lifetime (an hour at
# most); a deleted provider can be undeleted for 30 days, so also remove
# the three bindings if you want nothing left to restore.
questions from your security team: security@perfloop.ai
